Data Mapping - A Must for Every Organization
The General Data Protection Regulation (GDPR), along with the California Consumer Privacy Act (CCPA), are just the beginning of what is sure to be a global onslaught of data privacy laws and regulations headed to every organization's doorstep. As such, organizations should undertake data mapping activities to understand how the company actually collects, uses, shares and discloses, stores, protects, retains, and disposes of data.

Centris recommends the following four-phase approach when conducting data mapping assessments.

Phase I: Analysis & Scoping

Measures to undertake include developing a solid understanding of why the assessment is being undertaken, which departments, systems, and personnel are considered in scope, and more. Additional factors to consider for this initial phase:
- Identifying data groups (e.g., consumer data, federal data, internal employee data, corporate IP) and the relevant data types associated with each group.
- Beginning to conceptualize and understand the data flows for the data groups.
- Assigning key roles, responsibilities, high-level deliverables, and overall expectations for the exercise.
- Assessing information security/cybersecurity controls, along with third-party entities deemed in scope.
- Assessing regulatory compliance requirements (e.g., GDPR, CCPA, PIPEDA, federal agency compliance).

Phase II: Information Flow

Measures to undertake include conceptualizing, confirming, and then documenting the information flow of all data groups and associated data types throughout the organization. When documenting the information flow, it is critical to cover the following elements: data items, format of data, location of data, access to data, and more. Additional factors to consider for this phase:
- Collection – Where is data being collected from, in what manner, from which external entities, and over which transmission protocols?
- Use – What is the overall use and lawful purpose of the data being collected?
- Shared & Disclosed – Who is data being shared with, both internally and externally (i.e., third parties), which specific data sets are shared, and what is the rationale?
- Storage and Protection – For data resident in the organization's information systems, how is it being stored and protected (e.g., encryption)?
- Retention – What data retention periods are in place, and what is the rationale for them?
- Disposal – How is data disposed of when no longer needed?

Phase III: Reporting

To make sense of a data mapping exercise, and to derive true value from it, it is important to develop a final data mapping report that includes the following information:
- Initial findings for all in-scope data groups and data sets.
- Recommendations and requirements to be implemented across the entire data flow lifecycle.
- A formalized action plan, complete with the milestones and deliverables necessary for successful data management.

Phase IV: Remediation

You will no doubt find areas within your data lifecycle that ultimately require remediation. From drafting stronger policy documents to making changes to controls, and more, remediation is essential, and very common.
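The Phase II elements above (collection, use, sharing and disclosure, storage and protection, retention, disposal) are easiest to act on when each data flow is recorded in a consistent structure and the gaps are surfaced automatically, which is the raw material for the Phase III findings. The following is an added example, not Centris's own tooling: a minimal data-map inventory with gap checks. The record fields, the set of groups treated as sensitive, the accepted transport protocols, and the sample flows are all constructed assumptions for illustration.

```python
"""Minimal data-map inventory with automated gap checks.

Added example, not Centris's tooling. Record fields mirror the Phase II
elements (collection, use, sharing/disclosure, storage and protection,
retention, disposal); the checks yield the kind of findings a Phase III
report begins with. Sensitive groups, accepted transports and the sample
inventory are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: these data groups are treated as sensitive by the assessment.
SENSITIVE_GROUPS = {"consumer", "employee"}
# Assumption: transports considered protected for collection of sensitive data.
PROTECTED_TRANSPORTS = {"https", "sftp", "tls"}


@dataclass
class DataFlow:
    data_group: str                  # e.g. consumer, employee, corporate_ip
    data_type: str                   # e.g. email, ssn, design docs
    collected_from: str              # source system or external entity
    transport: str                   # protocol used at collection, e.g. https
    purpose: str                     # lawful purpose for collection and use
    shared_with: List[str] = field(default_factory=list)  # recipients, internal or external
    sharing_rationale: Optional[str] = None
    storage_location: str = ""       # system or store holding the data
    encrypted_at_rest: bool = False
    retention_days: Optional[int] = None
    retention_rationale: Optional[str] = None
    disposal_method: Optional[str] = None  # e.g. purge job, crypto-shred


def check_flow(flow: DataFlow) -> List[str]:
    """Return findings for one flow; an empty list means no gaps were found."""
    findings: List[str] = []
    label = f"{flow.data_group}/{flow.data_type}"
    sensitive = flow.data_group in SENSITIVE_GROUPS
    if not flow.purpose:
        findings.append(f"{label}: no documented purpose for collection")
    if sensitive and flow.transport.lower() not in PROTECTED_TRANSPORTS:
        findings.append(f"{label}: collected over unprotected transport '{flow.transport}'")
    if flow.shared_with and not flow.sharing_rationale:
        findings.append(f"{label}: shared with {', '.join(flow.shared_with)} without rationale")
    if sensitive and not flow.encrypted_at_rest:
        where = flow.storage_location or "unknown location"
        findings.append(f"{label}: sensitive data stored unencrypted in {where}")
    if flow.retention_days is None:
        findings.append(f"{label}: no retention period defined")
    elif not flow.retention_rationale:
        findings.append(f"{label}: retention period set but rationale missing")
    if flow.disposal_method is None:
        findings.append(f"{label}: no disposal method defined")
    return findings


def build_report(flows: List[DataFlow]) -> Dict[str, List[str]]:
    """Map each flow label to its findings: the starting point for a Phase III report."""
    return {f"{fl.data_group}/{fl.data_type}": check_flow(fl) for fl in flows}


# Constructed sample inventory: one complete record, one with several gaps,
# and one non-sensitive record that passes.
SAMPLE_FLOWS = [
    DataFlow("consumer", "email", "web signup form", "https", "account creation",
             shared_with=["marketing-vendor"], sharing_rationale="newsletter delivery",
             storage_location="crm-db", encrypted_at_rest=True,
             retention_days=730, retention_rationale="account lifetime plus 2 years",
             disposal_method="purge job"),
    DataFlow("consumer", "ssn", "call center", "ftp", "identity verification",
             shared_with=["credit-bureau"], storage_location="legacy-fileshare"),
    DataFlow("corporate_ip", "design docs", "engineering wiki", "https", "product development",
             storage_location="wiki", retention_days=3650,
             retention_rationale="patent lifecycle", disposal_method="archive then delete"),
]

if __name__ == "__main__":
    for name, findings in build_report(SAMPLE_FLOWS).items():
        print(name, "->", "OK" if not findings else f"{len(findings)} finding(s)")
        for item in findings:
            print("   ", item)
```

Each finding names the lifecycle element it belongs to, so the report can be sorted by element (collection, sharing, storage, retention, disposal) and the remediation plan in Phase IV can assign each item an owner and a milestone.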